Interesting how security breaches seem
to grow beyond the initial size reported...
U. Nebraska breach also affected state colleges
June 1, 2012 by admin
Oh ho… so it wasn’t just U. of Nebraska affected by the hack reported May 23. The Lincoln Journal Star reports:
Nebraska State
College System officials have been notified that their records were
included in a security breach reported last week by the University of
Nebraska in late May.
The State College
System and NU began using a shared student information system known
as NeSIS in 2009.
Investigation into
the May 23 breach initially indicated it affected
only the NU system, but State College Chancellor Stan
Carpenter said he was notified Wednesday it also included data for
the Chadron
State, Peru State
and Wayne State
colleges.
Read more on Lincoln Journal Star.
“We noticed that your answer did not
actually contain an answer...”
By Dissent,
June 1, 2012
At least some members of Congress are
not happy with the response to a letter
they sent TRICARE following the theft of backup
tapes from the unattended vehicle of an employee of their contractor,
SAIC. The tapes contained information on
approximately 5 million military beneficiaries and their dependents.
Although TRICARE’s response was not
disclosed publicly, Rep. Ed Markey and colleagues from the bipartisan
privacy caucus quoted portions of the response in a follow-up letter
they sent to TRICARE on May 7.
Citing SAIC’s “history of serious
security failures,” the members note that “it is disturbing that
TRICARE engaged this contractor for such sensitive work.” They
also note that it was not clear from TRICARE’s
response whether TRICARE actually spot-checked SAIC or verified that
it was implementing its Business Associate Agreement.
The members also criticized TRICARE for
failure to deploy encryption even after this latest breach and for
continuing to use unsafe methods of physically transmitting data
instead of switching to secure virtual private networks. Although
VPN is reportedly under consideration by TRICARE, no decision has as
yet been made.
The congressmen called on TRICARE to
provide more details about their security measures and to deploy
encryption and better security measures to protect data. They also
point out that at least some people have been paying for medical
identity protection out of pocket because TRICARE and SAIC refused to
provide such coverage.
Related: 5-7-12 Response to TRICARE (pdf)
What are the ethics of CyberWar?
"U.S. officials have acknowledged playing a role in the development and deployment of Stuxnet, Duqu and other cyberweapons against Iran. The acknowledgement makes cyberattacks more legitimate as a tool of not-quite-lethal international diplomacy. It also legitimizes them as more-combative tools for political conflict over social issues, in the same way Tasers gave police less-than-lethal alternatives to shooting suspects [There is an assertion that needs to be challenged. Bob] and gave those who abuse their power something other than a club to hit a suspect with. Political parties and single-issue political organizations already use 'opposition research' to name-and-shame their opponents with real or exaggerated revelations from a checkered past, gerrymander districts to ensure their candidates a victory and vote-suppression or get-out-the-vote efforts to skew vote tallies. Imagine what they'll do with custom malware, the ability to DDoS an opponent's web site or redirect donations from an opponent's site to their own. Cyberweapons may give nations a way to attack enemies without killing anyone. They'll definitely give domestic political groups a whole new world of dirty tricks to play."
(Related) CyberWar uses undetectable weapons?
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
A couple of days ago, I received an
e-mail from Iran. It was sent by an analyst from the Iranian
Computer Emergency Response Team, and it was informing me about a
piece of malware their team had found infecting a variety of Iranian
computers. This turned out to be Flame: the malware that has now
been front-page
news worldwide.
When we went digging through our
archive for related samples of malware, we were surprised to find
that we already had samples of Flame, dating back to 2010 and 2011,
that we were unaware we possessed. They had come through automated
reporting mechanisms, but had never been flagged by
the system as something we should examine closely.
Researchers at other antivirus firms have found evidence that they
received samples of the malware even earlier than this, indicating
that the malware was older than 2010.
What this means is that all of us had
missed detecting this malware for two years, or more. That’s a
spectacular failure for our company, and for the antivirus industry
in general.
… The truth is,
consumer-grade antivirus products can’t protect against targeted
malware created by well-resourced nation-states with bulging budgets.
… This story does not end with
Flame. It’s highly likely there are other similar attacks already
underway that we haven’t detected yet. Put simply, attacks like
these work.
(Related) How vulnerable is our infrastructure?
Study: Yesterday’s Facebook Outage Also Slowed Down Major Media And Retail Sites
It’s a testament to how important
Facebook has become in the web ecosystem that the social network’s
performance
issues yesterday didn’t just affect the site itself (and its
900 million users) but also a wide variety of other sites as well.
Performance monitoring company Compuware
APM, which analyses the performance of thousands of top sites,
just sent us some interesting data about how Facebook’s problems
yesterday correlated with significant slowdowns across major U.S.
media and retail sites.
As our friends over at GigaOm pointed
out today, “Facebook’s faltering didn’t lead to any
noticeable traffic dip.” According to Compuware’s data, however,
it did affect sites in other ways because of how tightly many media
and retail sites integrate with services like Facebook’s “like”
button, which was also affected by yesterday’s outage.
“Laws are the opiate of the people.”
Court Wary of Overturning Warrantless Spy Case Victory, But Might Have To
June 1, 2012 by Dissent
David Kravets reports:
A federal appeals
court appeared troubled Friday by the Obama administration’s
arguments that the government could break domestic
spying laws without fear of being sued — and that the
government’s argument might be correct, due to an oversight by
Congress.
A two-judge panel
of the 9th U.S. Circuit Court of Appeals heard an hour of oral
arguments here by the government and a lawyer for two attorneys whom
a federal judge concluded had been wiretapped illegally without
warrants by the government.
Read more on Threat Level
[From the article:
Justice Department attorney Douglas
Letter told Judge Michael Daly Hawkins and M. Margaret McKeown, both
President Bill Clinton appointees, that they should
dismiss the case outright because the government is immune from
being sued for breaching the Foreign Intelligence Surveillance Act
under a concept known as sovereign immunity.
“We think the simplest way here is
the sovereign immunity argument,” Letter told the panel. He added
that the aggrieved lawyers could sue individual government officials.
But under that scenario, the government would declare the issue a
state secret and effectively foreclose litigation.
“I’m trying to understand the
government’s overall position,” Hawkins said. “The
government’s position is you can’t sue the government, you can
sue anybody else, but who those people are might be a state secret.”
“Correct, your honor,” Letter said
moments later.
Can there be anonymous libel?
Idaho judge considers anonymous comments lawsuit
June 1, 2012 by Dissent
Nicholas K. Geranios of Associated
Press reports:
A lawyer for The
Spokesman-Review newspaper’s website argued today that people
should be allowed to post anonymous comments on its blogs without
fear of being identified and then sued.
But a Republican
political leader in North Idaho, who is seeking the identities of
three individuals who commented anonymously about her, argued that
she was libeled by a comment and has the right to sue for damages.
Read more on The Spokesman-Review.
[From the article:
In late April, Jacobson filed a lawsuit
against “John and/or Jane Doe” after an anonymous reader posted a
comment on Huckleberries Online questioning whether $10,000 allegedly
missing from the Kootenai County Central Committee might be “stuffed
inside Tina’s blouse.” [Sounds like humor to me
Bob] Two other anonymous readers posted follow-up
comments.
“You can’t call someone a thief and
expect to get away with it,” Andersen said in court Friday.
[Is it libel? She
admits to being a Politician. Bob]
The opposite of anonymous?
“Juror One” revisited: Court holds that SCA does not apply
June 1, 2012 by Dissent
You may not remember his name, but
regular readers of this blog will likely remember the case of “Juror
Number One,” a juror who made some comments on Facebook during a
criminal trial. Not surprisingly, the judge investigated the juror
misconduct – or tried to – but hit a snag when it came to
actually seeing the Facebook comments. And that’s when things got
interesting because the judge ordered the juror to consent to
Facebook turning over his material. Juror One objected that it
violated his rights under the Stored Communications Act (SCA), the
Fourth and Fifth Amendments to the Constitution, and his state and
federal privacy rights.
I blogged
about my concerns as the case wound its way through the
California courts.
Yesterday, Venkat Balasubramani alerted
me to a ruling by the California Court of Appeal in Sacramento.
Of note, the court held that the SCA did not apply to this situation because Juror One didn’t offer any rationale to support that claim:
Juror Number One
has provided this court with nothing, either by way of the petition
or the supporting documentation, as to the general nature or specific
operations of Facebook. Without such facts, we are unable to
determine whether or to what extent the SCA is applicable to the
information at issue in this case. For example, we have no
information as to the terms of any agreement between Facebook and
Juror Number One that might provide for a waiver of privacy rights in
exchange for free social networking services. Nor do we have any
information about how widely Juror Number One’s posts are available
to the public.
As significantly, they note that even
if the SCA did apply to Facebook postings that were only available to
a select group of individuals, it would not apply in this case
because it was not Facebook being ordered to provide the material.
The compulsion was on Juror One to consent, thereby waiving any
rights under the SCA:
… the question
here is not whether respondent court can compel Facebook to disclose
the contents of Juror Number One’s wall postings but whether the
court can compel Juror Number One to do so. If the court can compel
Juror Number One to produce the information, it can likewise compel
Juror Number One to consent to the disclosure by Facebook. The SCA
has no bearing on this issue.
Sadly, a lot of the most interesting
questions were never addressed because Juror One provided no argument
or support for his claims, allowing the court to just dismiss them
without consideration.
As @bmaz had suggested to me in our
conversation on Twitter, the court noted that any privacy rights must
fall to the Sixth Amendment rights of the defendants in the criminal
trial. Having already demonstrated that juror misconduct definitely
occurred, the court had a right – and duty – to determine if the
Facebook posts indicated any bias or prejudice on Juror One’s part.
While Juror One might think that simply denying any bias should
satisfy the court, the judge had a right to compel production of the
material to determine if there was indication of bias or prejudice.
Of interest to me was the concurring
opinion by Judge Mauro, who expressed the concerns I had raised about
compelled “consent:”
In essence, the trial court’s order is an effort to compel indirectly (through Juror Number One) what the trial court might not be able to compel directly from Facebook. This is arguably inconsistent with the spirit and intent of the protections in the SCA. Compelled consent is not consent at all. (See, e.g., Schneckloth v. Bustamonte (1973) 412 U.S. 218, 228, 233 [36 L.Ed.2d 854, 863, 866] [coerced consent is merely a pretext for unjustified intrusion].)
The lead opinion
explains that “[i]f the court can compel Juror Number One to
produce the information, it can likewise compel Juror Number One to
consent to the disclosure by Facebook.” (Maj. opn. at p. 14.)
This may ultimately be true, but here the trial court bypassed a
determination as to whether it could compel Juror Number One to
produce the documents.
The take-home message seems to be that
while courts cannot engage in fishing expeditions, if there’s
evidence of juror misconduct, they may be able to compel the juror to
provide the material, or in the alternative, to compel the juror to
consent to the service provider turning over the material.
Update: Orin Kerr has
also blogged about this case on The
Volokh Conspiracy. We seem to have picked up on the same main
points and issues, but Orin goes further:
My sense, then, is
that the trial court’s order is quite inappropriate. In
effect, the court is trying to trick Facebook into inadvertently
violating the SCA by making Facebook think that there is consent that
allows Facebook to disclose the updates lawfully. If
Facebook’s lawyers catch on, they will realize that this consent is
invalid and should refuse to disclose the status updates to the
court. But depending on how this is presented to Facebook, the folks
at Facebook may not realize that the consent is invalid. Under the
good-faith exception to civil liability, Facebook would probably
escape civil liability in that situation. But the trial court should
not be putting Facebook in this position anyway: Assuming that
executing a scheme to have a party unknowingly violate the SCA
violates the statute, then this would seem to violate the SCA. And
even if executing such a scheme does not technically violate the
statute directly, surely it is inappropriate for a judge to do such a
thing.
What other options
does the court have? The most obvious possibility is that the court
should allow the losing party to subpoena the juror for all of the
status updates during the relevant period that are relevant to the
trial. The solution isn’t perfect. The juror might not comply
with the subpoena, for example. But the Stored Communications Act
limits compelled access to contents of communications directly from
providers, and there does not appear to be an exception that applies
here.
Apparently this is going to stir some
controversy.
Microsoft’s “Do Not Track” Move Angers Advertising Industry
Microsoft Corp. said it would enable
“do not track” by default in the latest version of its Web
browser, Internet
Explorer 10, a move that angered the online advertising industry.
In a blog post, Microsoft Chief Privacy Officer Brendan Lynch wrote
that the company made the decision because users should “make a
conscious choice to share information in order to receive more
personalized ad content.”
But the Digital Advertising Alliance, a
coalition that counts Microsoft as a member, said that the decision
ran counter to the industry’s agreement with the White House
announced earlier this year to honor “do not track” as long as it is not a default setting.
(Related) A reaction to change?
How ‘Do Not Track’ May Cost You Money
June 1, 2012 by Dissent
Andy Serwin writes:
Giving consumers
choices regarding seeing advertisements on websites, while
recognizing existing business models, has been a focus for many
stakeholders in the privacy debate. Many groups and companies have
worked to create a ‘Do Not Track’ feature that would give
consumers the choice of not seeing advertisements, but in the newest
version of its Internet browser, Internet Explorer 10, Microsoft has
reversed that trend by changing a default setting and turning on its
‘Do Not Track’ tool. The browser’s default setting, set
without consumer input, will now preclude consumers
from seeing advertisements [Not true Bob] on the websites
they visit for free. This undermines long-term prospects of the ‘Do
Not Track’ system which was designed to allow successful Internet
business models to continue.
Read more on The Lares Institute.
Do Twits own their Tweets? (and their
Facebook pages and their emails and and and )
Battle over Twitter subpoena heats up
June 1, 2012 by Dissent
News24 reports:
Electronic privacy
advocates on Thursday weighed in on a high-stakes legal fight over
online communications, arguing that a subpoena seeking an Occupy Wall
Street protester’s tweets violates his rights to free speech and
privacy.
The filing from
the American Civil Liberties Union, the Electronic Frontier
Foundation and Public Citizen, Inc supports Twitter’s
position that the individual, Occupy protestor Malcolm Harris and not
Twitter itself, is the owner of the tweets and thus the proper target
for any subpoena.
Manhattan Criminal
Court Justice Matthew Sciarrino Jr. had earlier ruled that Harris did
not have the standing to challenge the subpoena, which seeks personal
information and all of Harris’ tweets from 15 September through 31
December 2011.
Read more on News24.
Perspective: Just as I thought, there are more Twits every day...
A report coming from the Pew Internet
and American Life Project shows that right around 15 percent of
online adults use Twitter
as of February 2012, with just about 8 percent of them using Twitter
in November of 2010. Where the usage explosion really hits is in the
amount of people who said they used Twitter daily, with 8% of adults
saying they do here in 2012 and 4% of them saying they did in May of
2011.
[The survey is here:
My handouts keep getting bigger – this might be a solution...
Booktype is open-source software that
allows people to write, publish and print e-books within minutes.
… An easy drag-and-drop interface
makes it plain and simple to make an e-book, while tools such as
collaborative proofreaders, editors and contributors make it possible
for organizations to hook up with other people and write an e-book in
a teamwork environment.
The digital book can then be exported
to popular e-book stores such as Amazon, iBooks, Lulu.com, etc. The
e-books are also format-compatible with many e-book readers such as
iPad, Kindle, Nook, and more. To make sure it’s suitable for you,
you can try the online demo and see how Booktype works.
To make use of this amazing software,
just download the code and follow the instructions given on the
website to download the software on to your computer. To install the
software, a person is required to have a web server and knowledge of
how to install software for the web.
Could be fun for the Intro to
Programming students...
Google Blockly Lets Kids Hack With No Keyboard
Google has released a completely visual
programming language that lets you build software without typing a
single character.
Now available on Google
Code — the company’s site for hosting open source software —
the new language is called Google
Blockly, and it’s reminiscent of Scratch,
a platform developed at MIT that seeks to turn even young children
into programmers.
Like Scratch, Blockly lets you build
applications by piecing together small graphical objects in much the
same way you’d piece together Legos. Each visual object is also a
code object — a variable or a counter or an “if-then” statement
or the like — and as you piece them together, you create simple
functions. And as you piece the functions together, you create
entire applications — say, a game where you guide a tiny figurine
through a maze.
Something to share with my students and
fellow teachers...
Starter Kit: How to Outfit Your iPad Like an Ivy League Scholar
According
to Princeton University's library, here are the apps that the
library has loaded onto its iPads. Think of it like a starter kit if
you're buying a new iPad and you want to have it outfitted like an
Ivy League researcher.
(Related) A different version of the list...
Web Tools to Enhance Learning
Well, I think it's interesting...
Techcrunch
reports that Echo360
has raised $31 million in funding – “As the old school
gives way to the new, technology has begun to play an increasingly
active role in the learning process” is the story lede. Well,
active up to a point, I guess, since Echo360 is a
lecture-capture technology. But hey, throw the “flipped
classroom” into your slide-deck and investors clearly eat that up.
InstaEDU
has raised $1.1 million in seed funding, according
to Techcrunch, for on-demand video tutoring.
Techcrunch
reports that educational app-maker Mindshapes
has raised $4 million in funding.
Udacity
has listed five
new classes that’ll begin this summer, all of which greatly expand
the breadth of the startup’s offerings. These include physics,
discrete math and statistics. It’s also
made the official announcement of its partnership with Pearson
testing centers where people will be able to take an optional final
exam in order to be put into the Udacity job recruitment pipeline.